
How to Avoid Being a Hacker Victim

posted Sep 24, 2015, 11:51 AM by Resty Manapat

Following in the wake of the recently publicized attacks on government databases and systems, all CIOs and chief security officers should assume their own organizations could be next and must proactively revisit their technologies and processes to ensure they are capable of preventing a breach.

“Conventional thinking in IT has been to prevent being hacked altogether, and that has proven impossible to achieve. CIOs and CSOs should assume they will be hacked, and turn their attention to technologies that detect breaches early and block the exfiltration of data,” Nat Kausik, CEO of Bitglass, told Enterprise Technology. “In short, focus on risk management.”

Security and technology professionals also
must manage expectations: A breach is always possible, especially if hackers
have their sights set specifically on your organization, security experts warn.
But by taking multiple steps to protect the most valuable intellectual property
and sensitive data, organizations can reduce damage.

“It’s time to double down and give the job of securing valuable data the resources it needs,” said Jean Taggart, senior security researcher at Malwarebytes Labs, research arm of the anti-malware developer, in an interview.

Those resources must include automation. Relying on humans – who can too easily forget, change jobs, or make errors – can result in the type of situation that just occurred at the Internal Revenue Service, where most security recommendations were not implemented, said Kausik.

“At the end of the day, insiders must have
access to and handle sensitive information. And insiders are human; relying on
best practices is relying on humans not to make mistakes,” he said. “Technology
is a better answer – to automate things that humans must do. Organizations must
assume that humans will make mistakes and design security technologies that
limit the damage from those mistakes.”

Well-trained security analysts must monitor
these tools, said Taggart.

“Breaking up the records in smaller parts,
that are encrypted with salted hashes, and having access to [that] data
vigilantly monitored is the bare minimum required to mitigate these types of
data breaches,” he said. “Anomalous traffic monitoring, data exfiltration
monitoring, intrusion detection systems all should be deployed, but more
importantly, properly trained security staff should be looking at the logs
these solutions generate.”

Ongoing user education is vital to protect organizations from both new and old hacker tactics. After all, social engineering often provides an entry point to malware.

“Educating the user is critically important.
Awareness courses, simulated phishing campaigns, and sanctioned penetration
tests will help identify where defenses should be shored up,” said Taggart.

“The trick to educating your users against social engineering techniques is to make sure that they don’t feel victimized if they fall prey to these techniques as part of a sanctioned assessment. A user who has fallen for a phishing email and has had an awareness course as a result is much more likely to spot a real phish attempt when it presents itself in his or her inbox.”
